X-posted IBM-MAIN and RACF-L. I am looking at an SMF 80 record from a customer that I am having trouble making sense of. The customer is definitely a RACF user, not a TSS user. The customer I believe is on z/OS V2R1.
It is a valid SMF 80 record. The event.qualifier is 2.0. There are three relocatable sections: a 49 (User Name) that says "Detection Status", a 17 (Class name) that says "EK$CLASS" and a 1 (Resource Name) that says "EKCA.SECURITY.DETECTION". The record is 2959 bytes long, long for a RACF SMF record.

So what's odd about it?

1. It is missing the RACF version SMF80VRM at offset 80 that was added to RACF around OS/390 V1R2. That leads me to believe the record was not produced by RACF.

2. Between roughly offset x'44' and offset x'B52' (the first relocatable section) there is binary data that looks like perhaps a series of binary counters that I am not familiar with. No recognizable EBCDIC data providing a clue.

Does anyone have an idea what might be producing this record and where its format might be documented? It's at a customer so I don't have a thorough knowledge of what third-party products might be running, etc., etc.

Thanks,
Charles
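An added example, not part of the original post: a small triage helper for a record like the one described, which walks the relocate sections and scans a byte range for printable EBCDIC runs. It assumes each relocate section is a one-byte data type, a one-byte data length, then the data, and that text is in code page 037; the function names and the sample record are constructed for illustration.

```python
import struct

EBCDIC = "cp037"  # assumption: US EBCDIC code page; change to match the site
# The three relocate sections quoted in the post: (data type, text).
SECTIONS = [(49, "Detection Status"), (17, "EK$CLASS"),
            (1, "EKCA.SECURITY.DETECTION")]

def walk_relocates(rec, start, count):
    """Decode `count` sections from `start`; assumed layout: type, length, data."""
    out, pos = [], start
    for _ in range(count):
        if pos + 2 > len(rec):
            raise ValueError(f"section header truncated at offset {pos:#x}")
        dtype, dlen = rec[pos], rec[pos + 1]
        data = rec[pos + 2:pos + 2 + dlen]
        if len(data) != dlen:
            raise ValueError(f"type {dtype} section overruns record at {pos:#x}")
        out.append((dtype, data.decode(EBCDIC)))
        pos += 2 + dlen
    return out

def ebcdic_strings(rec, lo, hi, min_len=4):
    """Return (offset, text) for printable-EBCDIC runs in rec[lo:hi]."""
    runs, cur, begin, end = [], "", lo, min(hi, len(rec))
    for i in range(lo, end + 1):  # one extra pass flushes a run at the end
        ch = rec[i:i + 1].decode(EBCDIC) if i < end else ""
        if ch and ch.isascii() and (ch.isalnum() or ch in " .$#@-_/"):
            if not cur:
                begin = i
            cur += ch
        else:
            if len(cur) >= min_len:
                runs.append((begin, cur))
            cur = ""
    return runs

def build_sample():
    """Constructed record: 32 bytes of binary counters, then the sections."""
    counters = bytes(8) + struct.pack(">6I", 3, 0, 17, 256, 0, 9)
    body = b"".join(bytes([t, len(s)]) + s.encode(EBCDIC) for t, s in SECTIONS)
    return counters + body, len(counters)

if __name__ == "__main__":
    rec, first = build_sample()
    print("text in binary region:", ebcdic_strings(rec, 0, first))
    for dtype, text in walk_relocates(rec, first, len(SECTIONS)):
        print(dtype, text)
```

Whether offsets are counted with or without the record descriptor word depends on how the record was dumped, so `start` is passed in rather than read from the header.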